Improving the architecture of middleboxes or service routers to better consolidate diverse functions

ABSTRACT

An apparatus comprising at least one receiver configured to receive a traffic flow, receive information comprising a set of functions and an order of the set from a controller, and a processor coupled to the at least one receiver and configured to assign the traffic flow to one or more resources, determine a processing schedule for the traffic flow, and process the traffic flow by the set of functions, following the order of the set, using the one or more resources, and according to the processing schedule.

CROSS-REFERENCE TO RELATED APPLICATIONS

The present application claims priority to U.S. Provisional PatentApplication No. 61/581,008 filed Dec. 28, 2011, by Norbert Egi et al.and entitled “A Service Router Architecture”, which is incorporatedherein by reference as if reproduced in its entirety.

STATEMENT REGARDING FEDERALLY SPONSORED RESEARCH OR DEVELOPMENT

Not applicable.

REFERENCE TO A MICROFICHE APPENDIX

Not applicable.

BACKGROUND

Modern networks often deploy a range of middleboxes, which are networkappliances configured to perform a variety of services or functions.Exemplary middleboxes include wide area network (WAN) optimizers,proxies, caches, intrusion detection systems (IDS), intrusion preventionsystems, network-level and application-level firewalls,application-specific gateways, and load-balancers. A service router maybe considered a middlebox that performs not only forwarding or routingfunctions like a switch or a router, but also additional higher-valuefunctions or network applications, such as packet tagging, firewall,intrusion detection/prevention, encryption, load-balancing, and WANacceleration. According to several studies reporting on the rapid growthof middlebox deployment, the middlebox market for network securityappliances alone was estimated to be 6 billion dollars in 2010, andexpected to rise to 10 billion in 2016. In today's networks, a number ofmiddleboxes may be comparable to a number of routers. Thus, middleboxeshave become an important part of modern networks, and it is reasonableto expect that they will remain so for the foreseeable future.Middleboxes may be vital parts in various networks, such as enterprise,internet service provider (ISP), and datacenter networks.

However, today's middleboxes may be expensive and closed systems, withlittle or no hooks and application programming interfaces (APIs) forextension or experimentation of functionalities. Each middlebox may bebuilt on a particular choice of hardware platform, and may support onlya narrow specialized function (e.g., intrusion detection or WANoptimization). Further, different middleboxes may be acquired fromindependent vendors and deployed as standalone devices with littleuniformity in their management APIs. Thus, it may be desirable toimprove the architecture of middleboxes or service routers to betterconsolidate diverse functions.

SUMMARY

In one embodiment, the disclosure includes an apparatus comprising atleast one receiver configured to receive a traffic flow, receiveinformation comprising a set of functions and an order of the set from acontroller, and a processor coupled to the at least one receiver andconfigured to assign the traffic flow to one or more resources,determine a processing schedule for the traffic flow, and process thetraffic flow by the set of functions, following the order of the set,using the one or more resources, and according to the processingschedule.

In another embodiment, the disclosure includes a method comprisingreceiving a traffic flow and configuration information, wherein theconfiguration information comprises a set of functions and an order ofthe set, assigning the traffic flow to one or more resources,determining a processing schedule for the traffic flow, and processingthe traffic flow by the set of functions, following the order of theset, using the one or more resources, and according to the processingschedule.

In yet another embodiment, the disclosure includes a middleboxcomprising at least one receiver configured to receive a plurality ofpackets from a network source, receive information comprising a set offunctions and an order of the set of functions from a controller, and aprocessor implementing a local coordinator, wherein the localcoordinator is configured to compute a sum of resource needed for theplurality of packets based on the set of functions, allocate at leastone hardware resource based on the sum, determine a processing schedule,and process the plurality of packets by the set of functions, followingthe order of the set, using the at least one hardware resource, andaccording to the processing schedule.

These and other features will be more clearly understood from thefollowing detailed description taken in conjunction with theaccompanying drawings and claims.

BRIEF DESCRIPTION OF THE DRAWINGS

For a more complete understanding of this disclosure, reference is nowmade to the following brief description, taken in connection with theaccompanying drawings and detailed description, wherein like referencenumerals represent like parts.

FIG. 1 is a schematic diagram of an embodiment of a simplified networkarchitecture.

FIG. 2 is a schematic diagram of an embodiment of a packet processingscheme.

FIG. 3 is a flowchart of an embodiment of a packet processing method.

FIG. 4 is a schematic diagram of an embodiment of a network node.

DETAILED DESCRIPTION

It should be understood at the outset that, although an illustrativeimplementation of one or more embodiments are provided below, thedisclosed systems and/or methods may be implemented using any number oftechniques, whether currently known or in existence. The disclosureshould in no way be limited to the illustrative implementations,drawings, and techniques illustrated below, including the exemplarydesigns and implementations illustrated and described herein, but may bemodified within the scope of the appended claims along with their fullscope of equivalents.

Disclosed herein are apparatuses, systems, and methods for consolidatinga plurality of network applications on a shared hardware platform of amiddlebox. In a disclosed packet processing scheme, at least twodifferent types of functions are incorporated into a middlebox. Afterthe middlebox receives traffic flows from network sources andconfiguration information from a network-wide controller, a policyenforcement layer (PEL) located in the middlebox may allocate functionsand resources for the received traffic flows. The configurationinformation may specify a traffic class of each flow, a set of functionsto be used in processing the traffic flows, and applicable resourceconstraints. In an embodiment, the PEL may assign instances of functionsto one or more resources and assign a traffic flow to the instance offunctions. The PEL may have input information regarding all resources,functions, and traffic flows, so that the PEL may ensure no resource isoverloaded with processing tasks. This disclosure may address resourcemanagement and implementation challenges that arise in exploiting thebenefits of consolidation in middlebox deployments. This architecturemay enable extensibility of functionalities or network services withincreased flexibility.

FIG. 1 illustrates an embodiment of a simplified network architecture100 comprising a controller 110 and a plurality of network components ornodes, such as middleboxes 120, 140, and 160. Each middlebox may beconfigured to provide the same function or different functions. If thefunction(s) of a middlebox includes routing, the middlebox may also beinterchangeably referred to as a service router. The controller 110 maybe a centralized device or entity located in, e.g., a datacenter of anetwork, and may control all middleboxes across the network to achievenetwork-wide objectives. Alternatively, the controller 110 may be one ofmultiple controllers that are distributed within the network, with eachdistributed controller responsible for managing a portion of themiddleboxes. In this case, the network architecture 100 may representonly a portion of an entire network.

The controller 110 may be utilized to solve an optimization problem thatdetermines how traffic flows should be split across middleboxes tominimize network-wide resource consumption, while respecting resourcelimits and policy requirements of each middlebox. Accordingly, thecontroller 110 may determine how traffic flows from a network source(e.g., the Internet) should be processed by the middleboxes. Inoverseeing a network, the controller 110 may receive various inputs,such as information about the network (e.g., topology, servicesavailable at network nodes), a traffic workload, a description ofhardware resources in each middlebox, and/or a policy specification thatdescribes network-wide objectives and constraints of networkapplications. The controller 110 may analyze the inputs and produce anoutput, which may be a set of per-middlebox or per-routerconfigurations. In an embodiment, the output may be in the form of atable comprising three columns or rows. For example, a first column maycontain traffic flow identifications (IDs), which may be in any formthat enables packet classification and selection of packets belonging toa specified flow. For instance, a flow ID may be a 5-tuple of anInternet protocol (IP) packet, where the 5-tuple comprises a source IPaddress, a destination IP address, a source port number, a destinationport number, and a protocol in use. For another instance, the flow IDmay be a bitmap matched against the header(s) and/or the payload of thepackets. In addition, a second column of the output may contain a set ofservices to be executed on the traffic flow and an order of theservices. A third column of the output may contain resource constraints,which may be in the form of throughput and/or latency limitations, oramount of resources (e.g., processor, memory, input, and output) thatcan be used to process the traffic flow.

The output of the controller 110 may be considered an assignment ofprocessing responsibilities to each middlebox. For a target middlebox,such as the middlebox 120, the controller 110 may specify what trafficclass or classes are to be processed by the middlebox 120 and a flowvolume in each traffic class. The flow volume may be expressed as afraction of a total flow volume received by the network 100. Forexample, if the network 100 receives a traffic flow that is too largefor one middlebox to process, the controller 110 may assign the trafficflow to be processed by 10 middleboxes, each taking a 1/10 fraction. Inan embodiment, the assignment information may be described by a set of(traffic class, fraction) pairs. In addition, the output of thecontroller 110 may specify one or more functions or services associatedwith each traffic class as well as an execution order that the one ormore functions follow.

In describing working principles of middleboxes, the middlebox 120 willbe used as a representative example. The middlebox 120 may be configuredto receive traffic flows from a network source (e.g., the Internet). Atraffic flow may comprise a plurality of packets, each of which is aformatted unit of data supported by the network. A traffic flow may be asequence of packets that are identified by the same parameters typicallyresiding in the header of the packets, such as source and destination IPaddresses, ports, and protocol numbers. Further, the middlebox 120 maybe configured to receive the output of the controller 110, whichcontains information regarding how to process the traffic flows. Then,the middlebox 120 may process the traffic flows according toconfigurations determined by the controller 110.

As shown in FIG. 1, the middlebox 120 comprises a hardware platform 122,a number of functions and modules, and a local coordinator 124 inbetween. The hardware platform 122 may comprise any appropriate type ofhardware, such as processor or central processing unit (CPU), memory,disk, screen or display, input/output device, network bandwidth orcapacity, or any combination thereof. The local coordinator 124 mayconsolidate the functions and modules, which may be implemented assoftware, on the shared hardware platform 122.

A function or network application incorporated in the middlebox 120 maybe categorized as a standalone function or an extensible function. Forillustrative purposes, three standalone functions 126 as well as twoextensible functions 128 and 130 are shown in FIG. 1. Nevertheless, itshould be understood that, depending on the application, any numberand/type of functions may be incorporated in the middlebox 120. Thestandalone functions 126 may neither depend on nor need any informationfrom another function or module. For example, in the case of astandalone function 126 being a firewall, the firewall may process apacket, e.g., filtering it through an access control unit, withoutneeding any information from another function or module. Further, anytwo standalone functions may perform the same or different services. Onthe other hand, each extensible function may depend on or useinformation from other module(s) in order to process a packet. In anembodiment, the extensible function 128 may be built on top of a module132, and the extensible function 130 on a module 134. For example, themodule 132 may be a packet merger configured to buffer all receivedpackets. After the last packet of a desired traffic flow is received bythe module 132, all packets may be merged and forwarded to theextensible function 128 (e.g., an intrusion detection system).

Further, as shown in FIG. 1, the modules 132 and 134 may be built onanother module 136, which may implement a common function that is usedby both the modules 132 and 134. The modules 132, 134, and 136(sometimes referred to as sub-functions) may perform some basic packetprocessing (e.g., splitting or merging of packets), so that they mayassist other functions. Note that the extensible functions 126 and 128may also be built directly on the module 136 (i.e., without the modules132 and 134). A common function or sub-function may be shared by otherdifferent functions (e.g. encryption or decryption, and transmissioncontrol protocol (TCP) offloading or coalescing). For example, themodule 136 may be a port control protocol (PCP) upload engine that isshared by a hypertext transfer protocol (HTTP) service (i.e., theextensible function 126) and a file transfer protocol (FTP) service(i.e., the extensible function 128). Thus, the common sub-function maybe executed by a single module (e.g., the module 136) accessed bymultiple functions or modules applications. This implementation mayimprove processing efficiency and reduce resource footprint, compared toa case in which every function runs a separate instance of the commonsub-function.

To process a traffic flow comprising multiple packets, the functions126, 128, and 130 may be implemented to perform any type offunctionality or service, such as packet tagging, forwarding, androuting, firewall, intrusion detection/prevention, encryption,load-balancing, and WAN acceleration. In an embodiment, at least twodifferent types of functions are incorporated inside the middlebox 120.

In an embodiment, the local coordinator 124 may be configured toremotely interact with the network-wide controller 110, e.g., via areceiver. Thus, for a traffic flow comprising a plurality of packets,the local coordinator 124 may obtain from the output of the controller110 configuration information, such as a flow ID, a set and order offunctions, and resource constraints. Based on this information, thelocal coordinator 124 may perform various tasks. As a first task, if thepackets need to be processed by multiple functions with a partialprecedence order between them, the local coordinator 124 may steer ordirect packets from one function to another based on the executionorder. Since different functions may have been obtained from differentvendors, they may be unaware of each other, thus the local coordinator124 is responsible for steering a packet and any intermediate processingresult between functions. Eventually, after the packets are processed byfunctions in the set of functions, the local coordinator 124 may forwardor route the packets to another network node (e.g., a middlebox, arouter, or a server). As a second task, to efficiently multiplexdifferent functions on the shared hardware platform 122, the localcoordinator 124 may allocate hardware/software resource(s) to the set offunctions, and determine the schedule of allocation. For example, thelocal coordinator 124 may check how much resource is being used by aparticular function. In case the function is exceeding its allocatedresources, its execution may be pre-empted or slowed down.

Based on above descriptions, the middlebox 120 may be considered amodular system architecture that consolidates different networkfunctionalities in a single hardware platform. In implementation, themiddlebox 120 may be a commodity computer system or server system. Inaddition to software, the middlebox 120 may include hardwareaccelerators, such as one or more global processing units (GPUs) orfield-programmable gate arrays (FPGAs). Alternatively, the middlebox 120may be fully hardware-based, e.g., developed in an application-specificintegrated circuit (ASIC). In different stages of product development,there may be different way to implement functions and modules. Forexample, a function may be first implemented by software, thenre-implemented by FPGA after experimental testing, and eventuallyre-implemented by ASIC after the function is confirmed to be fullyfunctional.

FIG. 2 illustrates an embodiment of a packet processing scheme 200implemented by a middlebox (e.g., the middlebox 120). In particular, alocal coordinator (e.g., the local coordinator 124) may be configured toimplement a classification module 210, a number of virtual queues 220,and a policy enforcement layer (PEL) 230. The local coordinator may befurther configured to allocate and schedule resources 240, 242, and 244to functions 250, 252, 254, and 256. It should be understood that FIG. 2merely serves an illustrative example of a packet processing scheme, andthat depending on the application, any other number of virtual queues,resources, and functions may be used within the scope of thisdisclosure. The scheme 200 may be understood to be a logical view of amiddlebox.

In an embodiment, an incoming traffic flow comprising a plurality ofpackets may first be classified by a classification module 210 toidentify what traffic class the packets belong to. There may be variousapproaches to define traffic classes, and exemplary traffic classes mayinclude delay-sensitive traffic, best-effort traffic, undesired traffic,or traffic destined to be processed by a given set of functionalities ina specified or unspecified order. As mentioned previously, aside fromthe traffic flow, a flow ID (e.g., a bitmap) may also be received from acontroller. Thus, the flow ID may be used to determine which trafficclass the traffic flow belongs to. Packet classification may beimplemented to occur in a network interface card receiving the packets,or in software or a special hardware accelerator inside the middlebox,or at a switch in a front-end of the middlebox.

After classification, the traffic flow may be presented to the PEL 230in a virtual queue. There may be a plurality of virtual queues, eachcorresponding to one traffic class. The PEL 230 may have informationabout how much resource and bandwidth is assigned to each traffic class,which functions to use for each traffic class, and how much resourceseach function is assigned. Thus, the PEL 230 may be responsible forsteering or directing the packets between the different functions and inthe appropriate order, if multiple functions are required to process thepackets. In doing so, the PEL 230 may steer packets only to thosefunction(s) which have resources left. Then, the packets may beprocessed by the designated function(s). Depending on its traffic class,the traffic flow may be processed by different functions and/orresources (determined by the controller).

Any of the functions 250, 252, 254, and 256 may be a standalone or anextensible function. Different functions may use the same resource ordifferent resources. For example, as shown in FIG. 2, the functions 250and 252 may use the resource 240, while the function 256 may use theresources 242 and 244. Any of the resources 240, 242, and 244 may referto any hardware and/or software resource. Exemplary hardware resourcesinclude, but are not limited to, CPU, memory, disk, screen or display,input/output device, network bandwidth, and combinations thereof.Exemplary software resources include, but are not limited to, web page,media content, newsgroup content, file, software object, database,access control list, and combinations thereof.

The packet processing scheme 200 may be used in a virtualized networkarchitecture, wherein each traffic class may be treated as a virtualnetwork and processed separately and independently. In this case,functions for each traffic class may also be implemented individually.

In order to consolidate multiple functions for different incomingtraffic flows, the PEL 230 may obtain various input information, whichallows it to determine which flows should be executed by whichprocesses, set the affinity between processes and resources, scheduleprocesses in the right time and order, and ensure that the resourceguarantees are met. Exemplary input information of the PEL include, butare not limited to, the following:

-   -   Traffic flows to be processed by the middlebox. The traffic        flows may be denoted as F in the form of {F₀, F₁, . . . , F_(n),        . . . , F_(N)}, where F_(n) represents an amount of traffic for        one flow (e.g., measured in units of megabits per second        (Mbps)), (N+1) indicates a number of the traffic flows, and n is        an integer between 0 and N.    -   Functions or network applications running in the middlebox. The        functions may be denoted as A in the form of {A₀, A₁, . . . ,        A_(p), . . . , A_(P)}, where A_(p) represents one of the        functions, (P+1) indicates a number of the functions, and p is        an integer between 0 and P.    -   Resource types (e.g., CPU, memory, or network bandwidth). The        resource types may be denoted as R in the form of {R₀, R₁, . . .        , R_(x), . . . , R_(X)}, where R_(x) represents an amount of        resource in one type, (X+1) indicates a number of the resource        types, and x is an integer between 0 and X.    -   Amount of resources per core in each resource type. For example,        the resource type is CPU, which may have multiple cores each        with a specific amount of resource (e.g., measured in        gigahertz). The amount of resources per type may be denoted as        R_(x) (i.e., for type x) in the form of {R_(x0), R_(x1), . . . ,        R_(xz), . . . , R_(xZ)}, where R_(xz) represents one of the        cores, (X+1) indicates a number of cores, and x is an integer        between 0 and X.    -   Amount of resources needed for a function to process a fixed        unit (e.g., measured in Mbps) of traffic flow. For example, for        a function A_(p), the amount of resource needed for A_(p) to        process 1 Mbps of flow may be denoted as {J*R₀, K*R₁, . . . ,        L*R_(X)}, where J, K, and L are fractional numbers between 0 and        1.    -   A set of applications the traffic flows have to go through. For        example, as provided by the output of a controller, a traffic        flow may go through multiple functions in a pre-determined        order, such as A₀, A₂, A₁, A₃.

FIG. 3 illustrates an embodiment of a packet processing method 300,which may be implemented by a middlebox (e.g., the middlebox 120). Themethod 300 receive, process and forward traffic flows, and may use inputinformation to a PEL. The method 300 may start in step 310, where atraffic flow comprising a plurality of packets may be received from anetwork source (e.g., the Internet). In use, multiple traffic flows maybe received by the middlebox, and one traffic flow is described here toillustrate principles of this disclosure. In step 320, configurationinformation may be received from a controller (e.g., the controller110). The configuration information is the output of the controller, andmay include a table specifying a flow ID, a set of functions and anorder of the set, and resource constraints. In step 330, a processor inthe middlebox may determine a traffic class of the traffic flow by usingthe flow ID. In step 340, the processor may compute or calculate a sumof one or more resources needed to process the traffic flow based on theset of functions and resource requirements of each function. Then, theprocessor may assign the traffic flow to one or more resources, or inother words, allocate the one or more resources for the traffic flow.Specifically, in step 350, the processor may assign an instance of afirst function or network application to a first resource, wherein thefirst function belongs to the set of functions, and the first resourcebelongs to the one or more resources. The instance of a function,sometimes also referred to as a process, may indicate one execution oroperation of the function. Note that assigning the instance of the firstfunction to a first resource does not indicate that the first functionis limited to the first resource, as the first function may also beassigned to a second resource, a third resource, and so forth. In step360, the processor may assign the traffic flow to the instance of thefirst function. Note that the traffic flow may be assigned to aninstance of a second function, a third function, etc., in the set offunctions. Further, the processor is capable of ensuring that noresource is assigned more instances of functions than what they can copewith (i.e., resource constraints).

In step 370, the processor may compute a most utilized resource amongmultiple resources needed for the set of functions based on inputinformation of a PEL. In step 380, the processor may determine aprocessing schedule for the traffic flow. Specifically, the instances offunctions and the traffic flow in each instance of function may bescheduled. For example, the processor may schedule when to execute theinstance of the first function using the first resource (and otherresources if needed) and when to process the traffic flow by theinstance of the first function. Likewise, the processor may furtherschedule when to execute the instance of the second function using thesecond resource (and other resources if needed) and when to furtherprocess the traffic flow (already processed by the first function) bythe instance of the second function. Scheduling may be based on the mostutilized resource obtained in the preceding step. In an embodiment, atraffic flow may be scheduled in proportion to its requirements of themost utilized resource. For example, at every X (X is a positiveinteger) scheduling steps, a scheduler implemented by the processor mayregularly determine which hardware resource is the most utilized,determine every flow's requirement of this resource, and schedule theflows in a way that fulfills requirements of fair scheduling of thismost utilized resource. That is, the scheduler may schedule flows whenthey have shares to use of the resource, and may unschedule them whenthey run out of shares of the resource. Alternatively, scheduling may becarried out based on other factors, in which case step 370 may bemodified or skipped. Further, scheduling may use various algorithms,such as a time-slice-based algorithm, a run-to-completion algorithm, ora combination of the two. In the time-slice-based algorithm, a schedulerimplemented by the processor may run once every time slice to choose anext instance of function to execute. Time slice, or quantum, may referto a period of time for which the instance is allowed to run withoutpotential preempting. Run-to-completion algorithm may be a schedulingmodel in which each function may run until it either finishes, orexplicitly yields control back to the scheduler. In addition, a PEL(e.g., the PEL 230), which may be part of the processor, may be themodule implementing steps 330-380.

In step 390, the processor may process the traffic flow by the set offunctions, following the order of the set, using the one or moreresources, and according to the processing schedule. It should beunderstood that the method 300 may include only a portion of allnecessary steps in handling a traffic flow. Thus, other steps oraspects, such as a detailed procedure of each function, queuing thetraffic flow, forwarding the processed traffic flow to another networknode, may be incorporated into the method 300 wherever appropriate.Further, one skilled in the art will recognize that, in use, themiddlebox may receive a plurality of traffic flows potentially belongingto different classes. Some or all of the steps described in the method300 may be repeated for each traffic flow the middlebox receives.Moreover, execution order of the steps in the method 300 may beflexible, provided that one step does not depend on result(s) producedby its preceding step. Certain steps may be combined, modified, orskipped.

The schemes described above may be implemented on a network component,such as a computer or network component with sufficient processingpower, memory resources, and network throughput capability to handle thenecessary workload placed upon it. FIG. 4 illustrates an embodiment of anetwork component or node 1300 suitable for implementing one or moreembodiments of the methods and schemes disclosed herein, such as thepacket processing scheme 200 and the packet processing method 300.Further, the network node 1300 may be configured to implement any of theapparatuses described herein, such as the controller 110 and themiddlebox 120 (referred to as a service router if including a routingfunction).

The network node 1300 includes a processor 1302 that is in communicationwith memory devices including secondary storage 1304, read only memory(ROM) 1306, random access memory (RAM) 1308, input/output (I/O) devices1310, and transmitter/receiver 1312. Although illustrated as a singleprocessor, the processor 1302 is not so limited and may comprisemultiple processors. The processor 1302 may be implemented as one ormore central processor unit (CPU) chips, cores (e.g., a multi-coreprocessor), field-programmable gate arrays (FPGAs), application specificintegrated circuits (ASICs), and/or digital signal processors (DSPs),and/or may be part of one or more ASICs. The processor 1302 may beconfigured to implement any of the schemes described herein, includingthe packet processing scheme 200 and the packet processing method 300.The processor 1302 may be implemented using hardware or a combination ofhardware and software.

The secondary storage 1304 is typically comprised of one or more diskdrives or tape drives and is used for non-volatile storage of data andas an over-flow data storage device if the RAM 1308 is not large enoughto hold all working data. The secondary storage 1304 may be used tostore programs that are loaded into the RAM 1308 when such programs areselected for execution. The ROM 1306 is used to store instructions andperhaps data that are read during program execution. The ROM 1306 is anon-volatile memory device that typically has a small memory capacityrelative to the larger memory capacity of the secondary storage 1304.The RAM 1308 is used to store volatile data and perhaps to storeinstructions. Access to both the ROM 1306 and the RAM 1308 is typicallyfaster than to the secondary storage 1304.

The transmitter/receiver 1312 may serve as an output and/or input deviceof the network node 1300. For example, if the transmitter/receiver 1312is acting as a transmitter, it may transmit data out of the network node1300. If the transmitter/receiver 1312 is acting as a receiver, it mayreceive data into the network node 1300. The transmitter/receiver 1312may take the form of modems, modem banks, Ethernet cards, universalserial bus (USB) interface cards, serial interfaces, token ring cards,fiber distributed data interface (FDDI) cards, wireless local areanetwork (WLAN) cards, radio transceiver cards such as code divisionmultiple access (CDMA), global system for mobile communications (GSM),long-term evolution (LTE), worldwide interoperability for microwaveaccess (WiMAX), and/or other air interface protocol radio transceivercards, and other well-known network devices. The transmitter/receiver1312 may enable the processor 1302 to communicate with an Internet orone or more intranets. I/O devices 1310 may include a video monitor,liquid crystal display (LCD), touch screen display, or other type ofvideo display for displaying video, and may also include a videorecording device for capturing video. I/O devices 1310 may also includeone or more keyboards, mice, or track balls, or other well-known inputdevices.

It is understood that by programming and/or loading executableinstructions onto the network node 1300, at least one of the processor1302, the secondary storage 1304, the RAM 1308, and the ROM 1306 arechanged, transforming the network node 1300 in part into a particularmachine or apparatus (e.g., a middlebox or service router having thenovel functionality taught by the present disclosure). The executableinstructions may be stored on the secondary storage 1304, the ROM 1306,and/or the RAM 1308 and loaded into the processor 1302 for execution. Itis fundamental to the electrical engineering and software engineeringarts that functionality that can be implemented by loading executablesoftware into a computer can be converted to a hardware implementationby well-known design rules. Decisions between implementing a concept insoftware versus hardware typically hinge on considerations of stabilityof the design and numbers of units to be produced rather than any issuesinvolved in translating from the software domain to the hardware domain.Generally, a design that is still subject to frequent change may bepreferred to be implemented in software, because re-spinning a hardwareimplementation is more expensive than re-spinning a software design.Generally, a design that is stable that will be produced in large volumemay be preferred to be implemented in hardware, for example in anapplication specific integrated circuit (ASIC), because for largeproduction runs the hardware implementation may be less expensive thanthe software implementation. Often a design may be developed and testedin a software form and later transformed, by well-known design rules, toan equivalent hardware implementation in an application specificintegrated circuit that hardwires the instructions of the software. Inthe same manner as a machine controlled by a new ASIC is a particularmachine or apparatus, likewise a computer that has been programmedand/or loaded with executable instructions may be viewed as a particularmachine or apparatus.

At least one embodiment is disclosed and variations, combinations,and/or modifications of the embodiment(s) and/or features of theembodiment(s) made by a person having ordinary skill in the art arewithin the scope of the disclosure. Alternative embodiments that resultfrom combining, integrating, and/or omitting features of theembodiment(s) are also within the scope of the disclosure. Wherenumerical ranges or limitations are expressly stated, such expressranges or limitations should be understood to include iterative rangesor limitations of like magnitude falling within the expressly statedranges or limitations (e.g., from about 1 to about 10 includes, 2, 3, 4,etc.; greater than 0.10 includes 0.11, 0.12, 0.13, etc.). For example,whenever a numerical range with a lower limit, R_(l), and an upperlimit, R_(u), is disclosed, any number falling within the range isspecifically disclosed. In particular, the following numbers within therange are specifically disclosed: R=R_(l)+k*(R_(u)−R_(l)), wherein k isa variable ranging from 1 percent to 100 percent with a 1 percentincrement, i.e., k is 1 percent, 2 percent, 3 percent, 4 percent, 5percent, . . . , 70 percent, 71 percent, 72 percent, . . . , 95 percent,96 percent, 97 percent, 98 percent, 99 percent, or 100 percent.Moreover, any numerical range defined by two R numbers as defined in theabove is also specifically disclosed. The use of the term “about”means±10% of the subsequent number, unless otherwise stated. Use of theterm “optionally” with respect to any element of a claim means that theelement is required, or alternatively, the element is not required, bothalternatives being within the scope of the claim. Use of broader termssuch as comprises, includes, and having should be understood to providesupport for narrower terms such as consisting of, consisting essentiallyof, and comprised substantially of. Accordingly, the scope of protectionis not limited by the description set out above but is defined by theclaims that follow, that scope including all equivalents of the subjectmatter of the claims. Each and every claim is incorporated as furtherdisclosure into the specification and the claims are embodiment(s) ofthe present disclosure. The discussion of a reference in the disclosureis not an admission that it is prior art, especially any reference thathas a publication date after the priority date of this application. Thedisclosure of all patents, patent applications, and publications citedin the disclosure are hereby incorporated by reference, to the extentthat they provide exemplary, procedural, or other details supplementaryto the disclosure.

While several embodiments have been provided in the present disclosure,it may be understood that the disclosed systems and methods might beembodied in many other specific forms without departing from the spiritor scope of the present disclosure. The present examples are to beconsidered as illustrative and not restrictive, and the intention is notto be limited to the details given herein. For example, the variouselements or components may be combined or integrated in another systemor certain features may be omitted, or not implemented.

In addition, techniques, systems, subsystems, and methods described andillustrated in the various embodiments as discrete or separate may becombined or integrated with other systems, modules, techniques, ormethods without departing from the scope of the present disclosure.Other items shown or discussed as coupled or directly coupled orcommunicating with each other may be indirectly coupled or communicatingthrough some interface, device, or intermediate component whetherelectrically, mechanically, or otherwise. Other examples of changes,substitutions, and alterations are ascertainable by one skilled in theart and may be made without departing from the spirit and scopedisclosed herein.

What is claimed is:
 1. An apparatus comprising: at least one receiver configured to: receive a traffic flow; receive information comprising a set of functions and an order of the set from a controller and a flow identification (ID) assigned by the controller, wherein the set of functions comprises a first function, wherein the flow ID assigned by the controller is used to determine a traffic class of the traffic flow, and received separately from the traffic flow provided by a network source; and a processor coupled to the at least one receiver and configured to: assign the traffic flow to one or more resources including a first resource by assigning an instance of the first function to the first resource and assigning the traffic flow to the instance of the first function; determine a processing schedule for the traffic flow by scheduling when to execute the instance of the first function using the first resource, scheduling when to process the traffic flow by the instance of the first function, and using a time-slice-based algorithm, a run-to-completion algorithm, or both; process the traffic flow by the set of functions in accordance with the traffic class determined from the flow ID, following the order of the set, using the one or more resources, and according to the processing schedule; and compute a sum of the one or more resources based on the set of functions, wherein assigning the traffic flow is based on the sum.
 2. An apparatus comprising: at least one receiver configured to: receive a traffic flow; receive information comprising a set of functions and an order of the set from a controller and a flow identification (ID) assigned by the controller, wherein the flow ID assigned by the controller is received separately from the traffic flow; and a processor coupled to the at least one receiver and configured to: assign the traffic flow to one or more resources; and determine a processing schedule for the traffic flow; process the traffic flow by the set of functions, following the order of the set, using the one or more resources, and according to the processing schedule; compute a sum of the one or more resources based on the set of functions, wherein assigning the traffic flow is based on the sum; and determine a most utilized hardware resource in the one or more resources, wherein determining the processing schedule is based on the most utilized hardware resource, wherein the set of functions comprises a first function, wherein the one or more resources comprises a first resource, and wherein assigning the traffic flow comprises: assigning an instance of the first function to the first resource; and assigning the traffic flow to the instance of the first function.
 3. The apparatus of claim 1, wherein the processor is further configured to, before computing a total amount of the one or more resources, determine a traffic class of the traffic flow using the flow ID.
 4. The apparatus of claim 1, wherein the set of functions further comprises a second function, wherein the second function trails the first function in the order of the set, wherein the one or more resources further comprises a second resource, wherein assigning the traffic flow further comprises: assigning an instance of the second function to the second resource; and assigning the traffic flow to the instance of the second function, and wherein processing the traffic flow comprises: processing the traffic flow by the first function and using the first resource; directing the processed traffic flow to the second function; and processing the processed traffic flow by the second function and using the second resource.
 5. The apparatus of claim 1, wherein the set of functions comprises packet tagging, packet forwarding, packet routing, firewall, intrusion detection, intrusion prevention, encryption, decryption, load balancing, wide area network (WAN) optimization, proxy, and combinations thereof.
 6. The apparatus of claim 1, wherein the processor is further configured to ensure no resource is overloaded when assigning the traffic flow to the one or more resources.
 7. A method comprising: receiving a traffic flow and configuration information from a controller, wherein the configuration information comprises a flow identification (ID) assigned by the controller, a set of functions including a first function and a second function, and an order of the set where the second function trails the first function, wherein the flow ID assigned by the controller is used to determine a traffic class of the traffic flow, and received independently from the traffic flow provided by a network source; assigning the traffic flow to one or more resources including a first resource and a second resource, wherein assigning the traffic flow comprises assigning an instance of the first function to the first resource, assigning the traffic flow to the instance of the first function, assigning an instance of the second function to the second resource, and assigning the traffic flow to the instance of the second function; determining a processing schedule for the traffic flow; and processing the traffic flow by the set of functions in accordance with the traffic class determined from the flow ID, following the order of the set, using the one or more resources, and according to the processing schedule, wherein processing the traffic flow comprises processing the traffic flow by the first function and using the first resource, directing the processed traffic flow to the second function, and processing the processed traffic flow by the second function and using the second resource.
 8. The method of claim 7, further comprising computing a sum of the one or more resources based on the set of functions, wherein assigning the traffic flow is based on the sum.
 9. The method of claim 8, wherein determining the processing schedule comprises: scheduling when to execute the instance of the first function using the first resource; and scheduling when to process the traffic flow by the instance of the first function.
 10. A method comprising: receiving a traffic flow and configuration information from a controller, wherein the configuration information comprises a flow identification (ID) assigned by the controller, a set of functions, and an order of the set, wherein the flow ID assigned by the controller is received independently from the traffic flow; assigning the traffic flow to one or more resources; determining a processing schedule for the traffic flow; processing the traffic flow by the set of functions, following the order of the set, using the one or more resources, and according to the processing schedule; computing a sum of the one or more resources based on the set of functions, wherein assigning the traffic flow is based on the sum; and determining a most utilized hardware resource in the one or more resources, wherein determining the processing schedule is based on the most utilized hardware resource, wherein the set of functions comprises a first function, wherein the one or more resources comprises a first resource, and wherein assigning the traffic flow comprises: assigning an instance of the first function to the first resource; and assigning the traffic flow to the instance of the first function.
 11. The method of claim 9, wherein determining the processing schedule comprising using a time-slice-based algorithm, a run-to-completion algorithm, or both.
 12. The method of claim 7, further comprising: ensuring no resource is overloaded when assigning the traffic flow to the one or more resources.
 13. A middlebox comprising: at least one receiver configured to: receive a plurality of packets from a network source; receive information comprising a set of functions and an order of the set of functions from a controller and a flow identification (ID) assigned by the controller, wherein the set of functions includes a first function and a second function, wherein the second function trails the first function in the order of the set, wherein the flow ID is used to determine a traffic class of the packets in a traffic flow, and provided separate from the traffic flow provided by a network source; and a processor implementing a local coordinator, wherein the local coordinator is configured to: compute a sum of resource needed for the plurality of packets based on the set of functions; allocate at least one hardware resource including a first resource and a second resource based on the sum by assigning an instance of the first function to the first resource and an instance of the second function to the second resource and assigning the traffic flow to the instances of the first and second functions; determine a processing schedule; and process the plurality of packets by the set of functions in accordance with the traffic class determined from the flow ID, following the order of the set, using the at least one hardware resource, and according to the processing schedule, wherein processing the plurality of packets comprises processing the plurality of packets by the first function and using the first resource, steering the processed packets to the second function, and processing the processed packets by the second function and using the second resource. 